What I would do is create a separate internal network with your DNS server. Create a separate network with a /24 netmask. Ideally physically separate it to your main network. As others have suggested, you can hijack the 53 forward packets to your DNS server in your separate network.

Do you have an available network interface in your pfsense router?

You probably want to change the WebGUI port to something different. (it binds to all local addresses… including the VIPs)

I agree with the Realtek assessment.  I was running a pfSense box that would freeze up randomly.  Root cause, Reaktek chipset on one of the NICs.  Replaced the Realtek chipset and it's been rock solid since.

Is this a question or a statement?

Glad you got it sorted out.

Thanks very much for letting us know. Glad it's sorted out.

Outbound NAT has nothing to do with where traffic is routed. It only determines what translations happen when such traffic is already routed out that interface. What you are seeing has absolutely nothing to do with the introduction of Hybrid Outbound NAT mode despite your conclusions.

If you are policy routing over the VPN then traffic sourced from the firewall itself is not subject to policy routing because it never enters the interface with the policy routing rules on it.

If you are accepting a default route from the VPN provider then traffic sourced from the firewall itself should follow that route while that VPN is up.

It may take it's settings only when it's started in which case enabling it after wards will not have any effect.

It's hard to say what the issue is there.

Maybe run  a packet capture to look at what's happening.

Devices that don't allow you to enter the IP of the resource always seem like the result of lazy programmers to me, relying entirely on auto-discovery.

Steve

My pfsense box is now setup properly (i guess). I edited my original post.

I am now facing only one problem with the VLAN on the HP Procurve 2920 switch.

I do not know if may belong here but you might be able to help me :)
I have a default VLAN_DEFAULT with ID 1 on the switch with untagged ports 1-4,25-48. The pfsense box is connected to port 48.

Then i have the VLAN with ID 10 with untagged ports 5-24 for computers.

When i connect my laptop to port 1 for example, the default VLAN, i have internet and can ping all VLANs.
When i connect my laptop to port 5 however, i get an "unidentified network" with "no internet" on my laptop.

Do i have to add a NAT rule or similar on pfsense to get this working?

No, that procedure works. You might have been experiencing some extra-special fs corruption.

FWIW, I am having exactly the same NTP widget issue. I will try clearing my Firefox cache to see if that fixes things. Thanks for the suggestion.

Update
Clearing the cache and reinstalling the widget had no effect, the issue remains.

Update 2
Chrome does not suffer from the problem. Chrome keeps perfect time. My Firefox installation continues to suffer, however.

Cheers,
Pete

anyone got grafana template to share?

I found the malefactor: my p2p client resilio sync on my synology server. This is causing all the trouble with the new router.

When I turn the sync off / stop the app it’s working like before. Shortly after turning it on, the whole network Stucks. I think it has something with UPnP to do.

Hi,
I have the same problem:

Aug 25 15:04:12 kernel pfr_update_stats: assertion failed. Aug 25 14:51:13 kernel pfr_update_stats: assertion failed. Aug 25 14:45:54 kernel pfr_update_stats: assertion failed. Aug 25 14:37:32 kernel pfr_update_stats: assertion failed. Aug 25 14:32:15 kernel pfr_update_stats: assertion failed. Aug 25 14:32:04 kernel pfr_update_stats: assertion failed. Aug 25 14:31:52 kernel pfr_update_stats: assertion failed. Aug 25 14:22:45 kernel pfr_update_stats: assertion failed. Aug 25 14:22:45 kernel pfr_update_stats: assertion failed. Aug 25 14:22:23 kernel pfr_update_stats: assertion failed. Aug 25 14:22:23 kernel pfr_update_stats: assertion failed. Aug 25 14:21:37 kernel pfr_update_stats: assertion failed. Aug 25 14:10:19 kernel pfr_update_stats: assertion failed. Aug 25 14:07:55 kernel pfr_update_stats: assertion failed. Aug 25 13:50:40 kernel pfr_update_stats: assertion failed.

PfSense 2.3.4-RELEASE-p1 (amd64) installed on HDD, the only package that is installed is FTP_Client_Proxy.
It is a Dell PowerEdge R310 with these network adapters:
2 embedded Broadcom NetXtreme II Gigabit Ethernet (firmware 08.07.26)
Intel(R) Gigabit ET Quad Port Server Adapter

The problem started with the update from 2.1.5 to 2.3.4_1 (via 2.3.4).
The day before I updated the Broadcom firmware to the latest version by Dell, but I did not see this error until I updated pfsense.

This was the secondary firewall of an HA firewall pair with pfsense 2.1.5 amd64 full install with package pfflowd.
Not complex configuration, but we have many rules.
We have 13 interfaces and an interface group, we use carp, pfsync, xmlrpc sync, vpn: more than 60 openvpn and 10 ipsec, lag, vlan, dhcp server, dns forwarder, ntp…

I have 2 LAG (whith LACP): igb0,igb1 and igb2,igb3.
One LAG is assigned to an interface, the other has some VLANs.
One Broadcom is directly connected to the other firewall (sync).

The primary firewall has carp disabled,
I have disabled pfsync and xmlrpc sync in both firewall and I have tried to shutdown the primary firewall.
I tried to disable the only floating rule that we have (deny rule).
I have backupped the config and done a fresh install of pfsense 2.3.4, upgraded to 2.3.4_1 and imported the config, but The problem persists.

EDIT: I started again primary firewall with 2.1.5 (with same Dell firmware updates of secondary firewall), it worked fine for serveral hours and the secondary firewall with 2.3.4_1 didn't log errors anymore,
ok it was in backup state, so no virtual ip, no vpn and no one used it as a gateway, but it received broadcast traffic, traffic directed to its ips and dhcp server has continued working.
When I turned off carp on the 2.1.5 firewall, the 2.3.4 came back primary and after few minutes the error appeared again.

Any suggestion to fix this issue?
Thanks in advance,
Gianluca.

There were three crashes in that submission and they were all different:

db:0:kdb.enter.default>  show pcpu cpuid        = 1 dynamic pcpu = 0x20ce5200 curthread    = 0xc7abbc80: pid 12 "irq277: em0:tx0" curpcb      = 0xebde2d40 fpcurthread  = none idlethread  = 0xc7711c80: tid 100004 "idle: cpu1" APIC ID      = 1 currentldt  = 0x50 db:0:kdb.enter.default>  bt Tracing pid 12 tid 100096 td 0xc7abbc80 kdb_enter(c147c716,c147c716,c16439c7,c1fb7994,1,...) at kdb_enter+0x3d/frame 0xc1fb7940 vpanic(c16439c7,c1fb7994,c1fb7994,c1fb79ac,c12e7b2b,...) at vpanic+0x13b/frame 0xc1fb7974 panic(c16439c7,1,1,1,ebde2bdc,...) at panic+0x1b/frame 0xc1fb7988 dblfault_handler() at dblfault_handler+0xab/frame 0xc1fb7988 --- trap 0x17, eip = 0xc12d2098, esp = 0xebde2004, ebp = 0xebde2bdc --- Xpage(ebde2c30,c0d3d449,c7abbc80,ebdd2000,c7ac8000,...) at Xpage/frame 0xebde2bdc choosethread(c7abbc80,ebdd2000,c7ac8000,217,c7abbc80,...) at choosethread+0x1f/frame 0xebde2be4 sched_switch(c7abbc80,0,109,c7a19a00,0,...) at sched_switch+0x139/frame 0xebde2c30 mi_switch(109,0,c147751b,55b,ebde2d40,...) at mi_switch+0x122/frame 0xebde2c68 ithread_loop(c7ab37d0,ebde2ce8,ff5fe9ff,4100100,40005,...) at ithread_loop+0x1b1/frame 0xebde2ca4 fork_exit(c0cd8220,c7ab37d0,ebde2ce8) at fork_exit+0xa3/frame 0xebde2cd4 fork_trampoline() at fork_trampoline+0x8/frame 0xebde2cd4 --- trap 0, eip = 0, esp = 0xebde2d20, ebp = 0 --- Fatal double fault: eip = 0xc12d2098 esp = 0xebde2004 ebp = 0xebde2bdc cpuid = 1; apic id = 01 panic: double fault cpuid = 1 KDB: enter: panic cpuid        = 1 dynamic pcpu = 0x20ce5200 curthread    = 0xc7ff2000: pid 12 "swi1: netisr 1" curpcb      = 0xebf25d40 fpcurthread  = none idlethread  = 0xc7711c80: tid 100004 "idle: cpu1" APIC ID      = 1 currentldt  = 0x50 db:0:kdb.enter.default>  bt Tracing pid 12 tid 100144 td 0xc7ff2000 kdb_enter(c147c716,c147c716,c16439c7,c1fb7994,1,...) at kdb_enter+0x3d/frame 0xc1fb7940 vpanic(c16439c7,c1fb7994,c1fb7994,c1fb79ac,c12e7b2b,...) at vpanic+0x13b/frame 0xc1fb7974 panic(c16439c7,1,1,1,ebf25a40,...) at panic+0x1b/frame 0xc1fb7988 dblfault_handler() at dblfault_handler+0xab/frame 0xc1fb7988 --- trap 0x17, eip = 0xc12d2098, esp = 0xebf25008, ebp = 0xebf25a40 --- Xpage(10211ac,c7a1d400,ebf25b58,1,10000000,...) at Xpage/frame 0xebf25a40 ip_output(c9562500,0,ebf25b48,1,0,...) at ip_output+0xb36/frame 0xebf25b00 ip_forward(c9562500,0,0,1,0,...) at ip_forward+0x3ea/frame 0xebf25b88 ip_input(c9562500,c7ff2000,ebf25c68,72714af,2710,...) at ip_input+0xba8/frame 0xebf25bf0 swi_net(e2b9d880,0,246,0,302b14,...) at swi_net+0x15f/frame 0xebf25c3c intr_event_execute_handlers(109,c7f92b00,c147751b,55b,c31a070d,...) at intr_event_execute_handlers+0xaa/frame 0xebf25c68 ithread_loop(c7f7ae40,ebf25ce8,c2dc38d5,8,0,...) at ithread_loop+0x80/frame 0xebf25ca4 fork_exit(c0cd8220,c7f7ae40,ebf25ce8) at fork_exit+0xa3/frame 0xebf25cd4 fork_trampoline() at fork_trampoline+0x8/frame 0xebf25cd4 --- trap 0, eip = 0, esp = 0xebf25d20, ebp = 0 --- Fatal double fault: eip = 0xc12d2098 esp = 0xebf25008 ebp = 0xebf25a40 cpuid = 1; apic id = 01 panic: double fault cpuid = 1 KDB: enter: panic cpuid        = 3 dynamic pcpu = 0x20ceb200 curthread    = 0xc7711640: pid 11 "idle: cpu3" curpcb      = 0xe2bb6d40 fpcurthread  = none idlethread  = 0xc7711640: tid 100006 "idle: cpu3" APIC ID      = 3 currentldt  = 0x50 db:0:kdb.enter.default>  bt Tracing pid 11 tid 100006 td 0xc7711640 kdb_enter(c147c716,c147c716,c16439c7,c1fb7994,3,...) at kdb_enter+0x3d/frame 0xc1fb7940 vpanic(c16439c7,c1fb7994,c1fb7994,c1fb79ac,c12e7b2b,...) at vpanic+0x13b/frame 0xc1fb7974 panic(c16439c7,3,3,3,e2bb6c28,...) at panic+0x1b/frame 0xc1fb7988 dblfault_handler() at dblfault_handler+0xab/frame 0xc1fb7988 --- trap 0x17, eip = 0xc12d2098, esp = 0xe2bb6008, ebp = 0xe2bb6c28 --- Xpage(1,e2bb6c78,c147e0b3,a3d,6dccb163,...) at Xpage/frame 0xe2bb6c28 sched_idletd(0,e2bb6ce8,6240b163,1b424163,30ad2163,...) at sched_idletd+0x1dd/frame 0xe2bb6ca4 fork_exit(c0d3f900,0,e2bb6ce8) at fork_exit+0xa3/frame 0xe2bb6cd4 fork_trampoline() at fork_trampoline+0x8/frame 0xe2bb6cd4 --- trap 0, eip = 0, esp = 0xe2bb6d20, ebp = 0 --- Fatal double fault: eip = 0xc12d2098 esp = 0xe2bb6008 ebp = 0xe2bb6c28 cpuid = 3; apic id = 03 panic: double fault cpuid = 3 KDB: enter: panic

Even though they were all "double faults" the backtraces appear to be quite unrelated. To me, my first inkling in this case is to suspect the hardware over anything else.

On the outside chance it's a driver issue, try moving up to a 2.4.0-RC snapshot.

Thanks for the reply. will wait for the update :D thx.